Skip to main content

veracode static scan

Runs a Veracode Static Analysis scan and outputs any flaws found as a JSON file. This command returns exit code 3 if any flaws are found matching the specified criteria.


veracode static scan <file_path> [flags]


file_pathLocation of the package file that contains your application source code. Ensure the file meets the packaging requirements.


--app-idApplication profile ID for the application you want to upload and scan.
--baseline-fileLocation of a JSON file with results from a previous scan. Default filename is result.json. To create a baseline file, include --results-file. The new results only include flaws not listed in the baseline file.
--fail-on-cweComma-separated list of CWE IDs. The scan results only include flaws of the specified CWEs.
--fail-on-severityComma-separated list of severities. The results only include flaws of the specified severities. By default, all severities are included. Values are Very High, High, Medium, Low, and Very Low.
--development-stageDevelopment stage when the scan runs. Values are case-sensitive: Development, Testing, Release
-h, --helpHelp documentation.
--gl-issue-generationEnter true to create GitLab issues from discovered flaws. Default is false. Before you can use this flag, you must configure GitLab.
--gl-vulnerability-generationEnter true to create a JSON file from the scan results. GitLab automatically imports the flaws from the JSON file as vulnerabilities. Default is false. To use this flag, you must define the paths and reports settings in the GitLab CI.
--includeEnter a case-sensitive, comma-separated list of name patterns that represent the names of the modules to scan as top-level modules. Veracode identifies these modules during prescan. The * wildcard matches zero or more characters. The ? wildcard matches exactly one character. For example, to include various module names that contain module: --include "module 1, module-*, module2.jar"
The scan results show the names of the modules that Veracode identified and the modules included in the scan. This flag does not pause, stop, or impact the performance of your pipeline.
--policy-fileName of a local policy file you want to apply to the scan results. To download a policy, use the policy command.
--project-nameName of the CI/CD repository running a scan. This flag adds the repository name to the scan results, which can help track scans across repositories.
--project-refSource control reference, revision, or branch of the CI/CD repository running a scan.
--project-urlURL of the CI/CD repository running a scan.
--results-fileFilename or location to save the scan results as a JSON file. By default, the results are saved to ./results.json.
--summary-outputFilename or location to save the scan results as a human-readable file. This file is not saved by default.


To scan a Java JAR file and output flaws to results.json, run:

veracode static scan my_java_application/build/project.jar

To scan a Python ZIP file and filter the results by severity and CWE ID, run:

veracode static scan --fail-on-cwe "89,117"  --fail-on-severity "Very High, High"

To scan a Java class file but only include results not included in a baseline file, run:

veracode static scan my_java_application/build/IgnoreCommand.class --baseline-file "baseline-results.json"

To create a baseline file and use it in a subsequent scan, run:

veracode static scan example.jar --results-file "baseline.json"
veracode static scan example.jar --baseline-file "baseline.json"

To scan a Python ZIP file and apply policy Veracode Recommended High, run:

veracode static scan --policy-file "Veracode Recommended High.json"